I want a ModSecurity rule which blocks access to any URL or any request body (POST/GET) if it contains a specific string.
For example, I want to block this string: "km0ae9gr6m"
I have this rule in place, but it doesn't seem to be working.
SecRule ARGS "km0ae9gr6m" "log,deny,msg:'Access Denied'"
Which ModSecurity version are you using?

The ARGS variable only includes QUERY_STRING + POST_PAYLOAD in version 1.X. If you're running version 2.X, with your above rule, testing with a request as below:

you'll see something like this in the audit_log:

[modsecurity] [client x.x.x.x] [domain domain.com] [302] [/20120813/20120813-1226/20120813-122624-70QXqH8AAAEA AEucDbkAAAAA] [file "/etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf"] [line "305"] [msg "Access Denied"] Access denied with code 403 (phase 2). Pattern match "km0ae9gr6m" at ARGS:b.
In ModSecurity 2.x, ARGS expands to individual variables. So, try this:

The only thing that I was missing was the processing phase in which this rule must be put to make it work, so the actual rule is here.
With this rule you can easily block any type of response that you do not want any user to see. ModSecurity will detect it on its way out to the server and will block it.
The above answer is correct: use phase:1. You can also use the "@contains" partial string match operator to stop a request that has the unwanted string as part of a longer string. For example, I don't have WordPress, so when I get requests for wp-login, wp-admin, etc., I can block them all with one rule: SecRule REQUEST_URI "@contains wp-" "id:101,phase:1,deny,status:409,msg:'Denied'"
On a side note, the message from msg: seems to only appear in the logs; the message the user sees I have added in the Apache config: ErrorDocument 409 "ACCESS STRICTLY FORBIDDEN"
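The thread leaves out the actual corrected rule, so here is an added example (written for this page, not posted by the asker or any of the answerers) that puts the pieces together for ModSecurity 2.x: the question's rule shown as the "before", and a rule that inspects the request line, the query string and the POST body for the string from the question. Phase 1 (as used in the wp- rule above) is enough for REQUEST_URI, but a POST body is only visible to rules from phase 2 onwards and only when SecRequestBodyAccess is on. The rule ids 100000 to 100002 are placeholders chosen for this example, not values from the page or from any rule set.

```apache
# Added example, not from any answer in the thread: block a fixed string
# wherever it appears in the request line, query string or POST body.

SecRuleEngine On
# Without this, request bodies are never buffered and body rules cannot fire.
SecRequestBodyAccess On

# Rule from the question, kept for comparison. Since ModSecurity 2.7 every
# rule needs a unique 'id', so this line is rejected at startup; it also only
# inspects ARGS, so the string in the raw path or in a non-form body is missed.
#   SecRule ARGS "km0ae9gr6m" "log,deny,msg:'Access Denied'"

# REQUEST_BODY is only populated for form-encoded bodies by default. For other
# content types (JSON, XML, plain text) ask the engine to keep the raw body
# available as a variable as well. Placeholder id 100000.
SecRule REQUEST_HEADERS:Content-Type "!@beginsWith application/x-www-form-urlencoded" \
    "id:100000,phase:1,pass,nolog,t:none,t:lowercase,ctl:forceRequestBodyVariable=On"

# Corrected rule (placeholder id 100001):
#  - REQUEST_URI  : path and query string of GET and POST requests alike
#  - ARGS         : decoded query-string and form/multipart parameters
#  - ARGS_NAMES   : parameter names, in case the string is used as a key
#  - REQUEST_BODY : raw body (form-encoded, or forced on by rule 100000)
#  - phase:2      : runs after the request body has been read
#  - @contains    : literal substring match, no regex escaping needed
#  - t:lowercase  : makes the match case-insensitive (pattern is lowercase)
SecRule REQUEST_URI|ARGS|ARGS_NAMES|REQUEST_BODY "@contains km0ae9gr6m" \
    "id:100001,phase:2,t:none,t:lowercase,deny,status:403,log,\
    msg:'Blocked request containing km0ae9gr6m',\
    logdata:'matched in %{MATCHED_VAR_NAME}'"

# Optional: the same check on the way out, for the 'response' case mentioned
# above. Response bodies are inspected only in phase 4, only when buffering is
# on, and only for the MIME types listed in SecResponseBodyMimeType.
SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html application/json
SecRule RESPONSE_BODY "@contains km0ae9gr6m" \
    "id:100002,phase:4,t:none,t:lowercase,deny,status:403,log,\
    msg:'Blocked response containing km0ae9gr6m'"
```

When testing, first run with SecRuleEngine DetectionOnly and check the error and audit logs for the msg and logdata strings before switching to On; a rule that silently does nothing (no id, wrong phase, body access off) looks identical to a rule that is never hit, so a matching log line is the only proof the rule is in effect.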